Full screen Java popup

chuck · August 08, 2007, 02:31:21 PM

http://hackademix.net/2007/08/07/java-evil-popups

Kind of scary, but I can still see my menu bar on a mac, so I know what's real and what's not. Also, a simple cmd+w closes it, so much for not being able to close it!

Newby · August 08, 2007, 02:48:18 PM

... and if you disable java altogether, there's no problem! :D

iago · August 08, 2007, 02:52:31 PM

Noscript for the win. :)

Hdx · August 08, 2007, 10:12:28 PM

I was able to ahve ti go truly fullscreen only when I
1) Unlocked my tray
2) closed all 'docked' windows (Trillian, wigets, etc..)
So..? Not that impressive.
~Hdx

iago · August 08, 2007, 10:18:42 PM

A lot of people don't have docked programs, so it is rather impressive. And even if it covers your browser only, if you use this to present the user with a fake browser, you can potentially do a lot of damage.

Joe · August 15, 2007, 08:40:53 AM

In case anyone's wondering, I tried this on my dual monitor set up. When I ran the JavaScript test (I'm on Firefox, so, Gecko-based) the PWND window showed up on my default monitor, but the taskbar still showed. My secondary monitor, which I (luckily?) was browsing on at the time, was unaffected.

Apparently I'm in the safe zone. And congrats to iago on 12,000 posts.

EDIT -

Code Select

function popup() {
  if(typeof(java) == "undefined") {
    window.onload = function() {
      document.getElementById("nojava").innerHTML = 
         "Your browser doesn't support LiveConnect or you've got Java disabled!";
    };
    return;
  }
  var w = new java.awt.Window(new java.awt.Frame());
  var label = new java.awt.Label("PWND");
  label.setFont(new java.awt.Font("Serif", java.awt.Font.BOLD, 80));
  label.setAlignment(label.CENTER);
  label.setForeground(java.awt.Color.white);
  w.setBackground(java.awt.Color.black);
  w.setLayout(new java.awt.BorderLayout());
  w.add(label, java.awt.BorderLayout.CENTER);
  w.setLocation(0, 0);
  var d = java.awt.Toolkit.getDefaultToolkit().getScreenSize();
  d.height += 80;
  w.setSize(d);
  w.setVisible(true);
}

And I'm sort of laughing a bit now that I realize this can be exploited in Firefox and not Internet Exploder. Wait, what?!?!

iago · August 15, 2007, 08:50:41 AM

This is reportedly exploitable on all major browsers (IE, FF, Opera).

Joe · August 16, 2007, 02:57:01 AM

Eh, it's much easier in Firefox, since in IE you need to download the whole applet and whatnot. It's still as easy to get sucked in, but Firefox facilitates it being done easier for the programmer.

Chavo · August 16, 2007, 11:37:56 AM

Quote from: iago on August 08, 2007, 02:52:31 PM
Noscript for the win. :)

Noscript is not worth the huge pain in the ass that it is. This should be a fairly easy to fix exploit.

iago · August 16, 2007, 12:43:59 PM

Quote from: unTactical on August 16, 2007, 11:37:56 AM
Quote from: iago on August 08, 2007, 02:52:31 PM
Noscript for the win. :)
Noscript is not worth the huge pain in the ass that it is. This should be a fairly easy to fix exploit.

I don't consider it a pain at all, I have it installed on all my computers. Most good sides (including the SMF forum) can operate 100% without JavaScript.

Hitmen · August 16, 2007, 12:51:55 PM

I think the internet isn't worth the huge pain in the ass that it is without noscript :|

Clan x86

News:

Full screen Java popup

chuck

Newby

iago

Hdx

iago

Joe

iago

Joe

Chavo

iago

Hitmen